# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-openstack flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=ext* -> /**,
  mount fstype=nbd* -> /**,
  mount fstype=xfs -> /**,
  mount fstype=btrfs -> /**,
  mount fstype=vfat* -> /**,
  mount fstype=fuseblk -> /**,
  mount fstype=nbd* -> /**,
  mount fstype=nfs* -> /**,
  mount fstype=rpc_pipefs,
  mount fstype=devpts,

# allow System access.
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount fstype=proc -> {{ lxc_container_cache_path }}/**,
  mount fstype=sysfs -> {{ lxc_container_cache_path }}/**,
  mount options=(rw,remount),
  mount options=(rw,bind) {{ lxc_container_cache_path }}/**/dev/shm/ -> {{ lxc_container_cache_path }}/**/run/shm/,
}
